[squid-users] Squid bind each outgoing ip to a user?

Amos Jeffries squid3 at treenet.co.nz
Sun Apr 7 06:01:51 UTC 2019


On 7/04/19 4:45 pm, jyliu wrote:
> I am trying to use squid and bind 2 outgoing ips separately to 2 users.
> 
> The ideal results will be, I can access the following:
> 
> xxx.xxx.xxx.14:3128:user1:user1password 
> xxx.xxx.xxx.18:3128:user2:user2password
> 
> But not:
> 
> xxx.xxx.xxx.14:3128:user2:user2password 
> xxx.xxx.xxx.18:3128:user1:user1password
> 
> I found a similar question on Stack Overflow and thus use a similar
> squid.conf:
> 
> 
> acl http proto http
> acl port_80 port 80
> acl port_443 port 443
> acl CONNECT method CONNECT
> 
> 
> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
> acl ncsa_users proxy_auth REQUIRED
> external_acl_type userIp %SRC %LOGIN /usr/lib64/squid/ext_file_userip_acl -f /etc/squid/userIp.conf
> 
> acl userIp external userIp
> 
> http_access deny !ncsa_users
> http_access allow userIp
> http_access deny all
> 
> http_port 3128
> acl ip1 myip xxx.xxx.xxx.14
> tcp_outgoing_address xxx.xxx.xxx.14 ip1
> 
> acl ip2 myip xxx.xxx.xxx.18
> tcp_outgoing_address xxx.xxx.xxx.18 ip2
> 
> 
> And in my userIp.conf I have:
> 
> 
> xxx.xxx.xxx.14 user1
> xxx.xxx.xxx.18 user2
> 
> 
> And in my /etc/squid/passwords I have the following created by htpasswd:
> 
> 
> user1:encrypted password
> user2:encrypted password
> 
> The problem is: if I delete 'http_access deny !ncsa_users', then user1 can
> access both xxx.xxx.xxx.14 and xxx.xxx.xxx.18. Same with user2.

... because they are no longer required to log in to have their requests
serviced by the proxy.

> 
> But if I keep 'http_access deny !ncsa_users' as it is, then all connections
> fail.

Fails how?

 Squid sending back a 401/407 "please give your credentials" response?

 Squid delivering a 403 forbidden response?

 Squid not breaking HTTP to cause the IP mapping you wanted to see?

 Something else?



> 
> I feel 'http_access allow userIp' doesn't work as it intends to.

"feelings" are irrelevant here. These ACL rules are algorithms. They can
be calculated and most importantly their calculations can be viewed.

 Please add the "-d" command line option to your squid.conf helper lines to
see what the helpers are actually doing.

 And add "debug_options 11,2 28,5" to your squid.conf to see what is actually
going on.


Amos
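
Added example, not part of Amos's reply and not Squid's own code: a simplified Python stand-in for the external ACL helper that logs each `%SRC %LOGIN` pair Squid hands it together with the verdict, so the `userIp` calculation can be read line by line. It assumes exact address and username matches only and does not reproduce everything ext_file_userip_acl accepts; the 203.0.113.x addresses and all function names are constructed for illustration.

```python
import sys
from urllib.parse import unquote

# Constructed stand-in for /etc/squid/userIp.conf. The documentation-range
# addresses replace the redacted xxx.xxx.xxx.14 / .18 values in the post.
SAMPLE_USERIP_CONF = """\
203.0.113.14 user1
203.0.113.18 user2
"""

def load_rules(text):
    """Parse 'address username' lines into a set of (address, user) pairs."""
    rules = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2:
            rules.add((fields[0], fields[1]))
    return rules

def decide(request_line, rules, log=sys.stderr):
    """Return 'OK' or 'ERR' for one '%SRC %LOGIN' line and log the reasoning."""
    fields = request_line.split()
    if len(fields) != 2:
        print(f"userIp: malformed request {request_line!r} -> ERR", file=log)
        return "ERR"
    # %SRC is the client's source address as Squid sees it; %LOGIN is the
    # authenticated username, URL-escaped by Squid before it reaches a helper.
    src, login = fields[0], unquote(fields[1])
    verdict = "OK" if (src, login) in rules else "ERR"
    print(f"userIp: src={src} login={login} -> {verdict}", file=log)
    return verdict

def serve(rules, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one request line in, one verdict line out, flushed."""
    for line in stdin:
        stdout.write(decide(line, rules) + "\n")
        stdout.flush()

if __name__ == "__main__":
    serve(load_rules(SAMPLE_USERIP_CONF))
```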

